Friday, November 7, 2008

How to build a VLAN router on Linux

First of all, let's go through the reasons for running VLANs on a Linux box.

Say you have multiple isolated networks that all need to reach the internet. You can either have one internet connection for each network, or one internet connection shared by all of them. Obviously the former is not cost effective. How do you convince your boss to pay for multiple internet connections?

To set up the latter, you need a router with more than two interfaces. The number of networks you have, including the one carrying the internet connection, is the number of network interfaces you need. So if you have 4 isolated networks, you need 5 interfaces, which normally means 5 network cards. Here is where the problem lies: what if your machine does not have enough slots for that many cards?

To get around the lack of slots, you can buy multi-port network cards. That brings two more problems. First, the cards are not cheap; a four-port card costs roughly 8x what 4 separate cards would. Second, even if you get the budget approved, what if you have 40 different networks, to exaggerate a little? Even with four-port cards your machine may not have enough slots for 40/4 = 10 of them.

A simpler and more cost-effective way is to use VLANs to add virtual (tagged) interfaces on top of a physical one. All you need is two network cards to build yourself a multi-interface router: one facing the internet and one trunk port to the switch carrying every VLAN.

The question most would ask is, is it stable? If you ask me, from experience, if you have a stable machine and a stable network card, then you should not be worried.

You have to be familiar with VLANs before this guide is useful. If you are, read on.

By default a Linux interface sends and receives untagged frames only, so which VLAN it belongs to depends on what the other end, normally a switch port, does with untagged traffic. If the switch port is set to VLAN 1 untagged (its native or PVID VLAN), then the Linux interface connected to it is in VLAN 1 as well, and frames tagged for any other VLAN on that port never reach the IP stack until you create a tagged sub-interface for them.

For this example I will show configuration for SUSE, which ships VLAN support (the 8021q kernel module and the vconfig tool) by default, but it works the same on other distros. Once you have installed SUSE 10 on a machine with two network cards and assigned IP addresses accordingly, pick the interface that will carry the multiple VLANs, e.g. eth1.

Connect eth0 to the internet modem and connect eth1 to a switch port configured as VLAN 1 untagged and VLAN 2 tagged. Because of that, eth1 itself is in VLAN 1 by default.

VLAN 1 untagged is assigned network 192.168.0.0/24 and VLAN 2 tagged is assigned network 192.168.1.0/24.

Internet <> eth0 <> SUSE 10 <> eth1 <> switch port (VLAN 1 untagged, VLAN 2 tagged)

The next thing we need to do is add the virtual interface on top of the physical interface eth1. Since the switch delivers VLAN 1 to eth1 untagged, there is no point creating a tagged sub-interface for VLAN 1: the switch strips the tag before the frame reaches us, so an eth1.1 would never see any traffic. Following the example above, the only VLAN left to add is VLAN 2.

To add a virtual interface, we use the command vconfig. It relies on the 8021q kernel module; if vconfig complains that it cannot open /proc/net/vlan/config, load the module with modprobe 8021q and try again.

vconfig add eth1 2

The syntax is vconfig add [interface] [vlan-id], where the VLAN ID is anything from 1 to 4094.

Confirm that the interface was added

ifconfig

You should see something like this

eth0 Link encap:Ethernet HWaddr 00:11:25:22:10:9c
inet addr:200.201.1.0 Bcast:200.201.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4899 errors:0 dropped:0 overruns:0 frame:0
TX packets:10277 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:526908 (514.5 Kb) TX bytes:5725852 (5.4 Mb)

eth1 Link encap:Ethernet HWaddr 00:11:25:22:10:9B
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4899 errors:0 dropped:0 overruns:0 frame:0
TX packets:10277 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:526908 (514.5 Kb) TX bytes:5725852 (5.4 Mb)

eth1.2 Link encap:Ethernet HWaddr 00:11:25:22:10:9B
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4899 errors:0 dropped:0 overruns:0 frame:0
TX packets:10277 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:526908 (514.5 Kb) TX bytes:5725852 (5.4 Mb)

As you can see, you now have an additional interface, the virtual interface eth1.2, on top of the two physical interfaces eth0 and eth1. The number after the dot is the VLAN ID, so eth1.2 carries VLAN 2. Note that eth1.2 shows the same MAC address as eth1 (00:11:25:22:10:9B); that is normal, since the two are told apart by the 802.1Q tag on the wire, not by MAC.

Next, give eth1.2 an IPv4 address. Like the vconfig command above, this is not persistent across a reboot; on SUSE the permanent place for it is an ifcfg file under /etc/sysconfig/network (see man ifcfg-vlan).

ifconfig eth1.2 192.168.1.1 netmask 255.255.255.0

Again, confirm the settings

ifconfig

It should look something like this

eth1.2 Link encap:Ethernet HWaddr 00:11:25:22:10:9B
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4899 errors:0 dropped:0 overruns:0 frame:0
TX packets:10277 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:526908 (514.5 Kb) TX bytes:5725852 (5.4 Mb)

You can confirm the address from the router itself by pinging it

ping 192.168.1.1

It should give a reply, but that only proves the address is configured locally: the reply comes from your own IP stack and never touches the wire. To prove the tagging works, check that the kernel lists eth1.2 as VLAN 2 on eth1 in /proc/net/vlan/config, then ping the router from a host on a switch port in VLAN 2 (or run tcpdump on eth1 and look for 802.1Q tagged frames). That's it! You can add as many VLANs as the other end can support, up to the 4094 IDs that 802.1Q allows.
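As an added example (not part of the original post), here is a small shell check that reads the kernel's own VLAN table, /proc/net/vlan/config, instead of relying on a self-ping. The function names and the sample table contents are mine; the sample is constructed to match the eth1.2 / VLAN 2 / eth1 setup above, not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the original post: verify a tagged sub-interface
# against the kernel's own VLAN table in /proc/net/vlan/config, which the
# 8021q module (and hence vconfig) maintains. Pinging the router's own
# address only exercises the local IP stack and proves nothing about tagging.
# The table path is a parameter so the parser can run on a saved copy; the
# sample below is constructed, not captured from a real machine.

# Print "<vid> <parent>" for <ifname>; return 1 if the kernel knows no such VLAN.
# Format of /proc/net/vlan/config: two header lines, then "name | vid | parent".
vlan_lookup() {
    cfg=${2:-/proc/net/vlan/config}
    awk -F'|' -v want="$1" '
        NR > 2 {
            gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2); gsub(/[ \t]/, "", $3)
            if ($1 == want) { print $2, $3; found = 1 }
        }
        END { if (found) exit 0; exit 1 }' "$cfg"
}

# Succeed only if <ifname> is VLAN <vid> on <parent>; explain any mismatch.
vlan_check() {
    ifname=$1 want_vid=$2 want_parent=$3 cfg=$4
    got=$(vlan_lookup "$ifname" "$cfg") || {
        echo "$ifname: kernel has no such VLAN interface" >&2; return 1; }
    if [ "$got" = "$want_vid $want_parent" ]; then
        echo "$ifname: VLAN $want_vid on $want_parent OK"
    else
        echo "$ifname: expected VLAN $want_vid on $want_parent, kernel says $got" >&2
        return 1
    fi
}

# Constructed stand-in for /proc/net/vlan/config (matches the post's eth1.2).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth1.2         | 2  | eth1
EOF

vlan_check eth1.2 2 eth1 "$SAMPLE"     # on the router itself: vlan_check eth1.2 2 eth1

# Once the kernel table agrees, prove frames really arrive tagged from the
# switch (as root, on the physical trunk; -e shows the 802.1Q header):
#   tcpdump -e -nn -i eth1 vlan 2
```

The awk parser skips the two header lines and strips whitespace from each column, so it works on the padded layout the kernel writes. The tcpdump command at the end is the wire-level check: if the switch port is really tagging VLAN 2, the frames on eth1 show an 802.1Q header with vlan 2, and eth1.2 is where the kernel delivers them.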

Oh, and remember to turn on routing by making sure the file

/proc/sys/net/ipv4/ip_forward

has a 1 in it (and set net.ipv4.ip_forward = 1 in /etc/sysctl.conf so it survives a reboot). Be aware of what that does: with forwarding on, the box routes between eth1 and eth1.2 just as happily as it routes to the internet, so the isolation between your VLANs now rests entirely on the iptables FORWARD rules you put on this router. Without any, every network can reach every other.
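As an added example (not part of the original post), here is the whole procedure above as one script, plus the piece the post leaves out: the iptables rules that keep VLAN 1 and VLAN 2 isolated from each other once ip_forward is on. eth0 as the internet side, eth1 as the trunk, VLAN 2 and its 192.168.1.1/24 address come from the post; VLAN 3 with 192.168.2.1/24 is an extra assumption to show the pattern generalizes. The script prints its commands by default and only executes them with APPLY=1 as root; it assumes the 8021q module, iproute2 and iptables are present and uses the iproute2 equivalent of vconfig add.

```shell
#!/bin/sh
# Added example, not from the original post: build the two-NIC VLAN router
# and keep the VLANs isolated from each other once forwarding is on.
# Assumptions: eth0 faces the internet, eth1 is the trunk to the switch,
# VLAN 1 is the trunk's untagged native VLAN (so it lives on eth1 itself),
# 8021q/iproute2/iptables are installed. VLAN 3 is an extra, made-up entry.
# Dry run by default: prints every command. APPLY=1 (as root) executes them.

WAN=eth0
TRUNK=eth1
# one "vid address/prefix" per line for the tagged VLANs
VLANS="2 192.168.1.1/24
3 192.168.2.1/24"

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# 802.1Q VLAN IDs run from 1 to 4094; 0 and 4095 are reserved.
vlan_id_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Linux names the tagged sub-interface <parent>.<vid>, e.g. eth1.2
vlan_ifname() {
    printf '%s.%s\n' "$1" "$2"
}

# Create and address one tagged sub-interface. "ip link ... type vlan" is the
# iproute2 equivalent of the "vconfig add $parent $vid" used in the post.
add_vlan() {
    parent=$1 vid=$2 addr=$3
    vlan_id_valid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    dev=$(vlan_ifname "$parent" "$vid")
    run ip link add link "$parent" name "$dev" type vlan id "$vid"
    run ip addr add "$addr" dev "$dev"
    run ip link set "$dev" up
}

# Forwarding policy: each VLAN (native eth1 plus every eth1.N) may go out
# through $WAN with NAT; nothing is forwarded between VLANs. Without this,
# ip_forward=1 alone lets every "isolated" network reach every other one.
isolation_rules() {
    devs=$TRUNK
    while read -r vid addr; do
        [ -n "$vid" ] && devs="$devs $(vlan_ifname "$TRUNK" "$vid")"
    done <<EOF
$VLANS
EOF
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
    for dev in $devs; do
        echo "iptables -A FORWARD -i $dev -o $WAN -j ACCEPT"
    done
}

main() {
    run modprobe 8021q
    echo "$VLANS" | while read -r vid addr; do
        [ -n "$vid" ] && add_vlan "$TRUNK" "$vid" "$addr"
    done
    run sysctl -w net.ipv4.ip_forward=1
    isolation_rules | while read -r cmd; do run $cmd; done
}

main
```

Run it once without APPLY to read what it would do, then with APPLY=1 as root. The FORWARD policy is DROP and only "VLAN in, eth0 out" (plus the replies) is accepted, so traffic from 192.168.0.0/24 to 192.168.1.0/24 is dropped at the router even though both are directly connected; if two VLANs are meant to talk, add an explicit rule for that pair rather than loosening the policy.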


Optional

If you run a DHCP server (dhcpd) on the same machine, you can also hand out leases on multiple VLAN interfaces. DHCP configuration is out of scope for this guide, but the usual addition to /etc/dhcpd.conf is simply another subnet block

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;   # lease pool, pick your own
    option routers 192.168.1.1;
}

Lastly, edit /etc/sysconfig/dhcpd so dhcpd listens on the new VLAN interface too

DHCPD_INTERFACE="eth1 eth1.2"

You can see whether DHCP is working by watching the interface with tcpdump (filtering on the DHCP ports keeps the other chatter out)

tcpdump -n -i eth1.2 port 67 or port 68

If everything is set correctly, your clients will receive the right lease on the right interface: the 192.168.1.0/24 pool on eth1.2 and the VLAN 1 pool on eth1.
